A Mainframe Security Rosetta yStone – Translating Between Mainframe Security ProductsReg Harbeck

2009-08-24Session #5461

A dAgenda

• What’s a Rosetta Stone?• About this session• Introducing the z/OS security packages

• RACFRACF• ACF2• TSS

• Mapping the concepts and commandspp g p• Where to find out more• Q&A

2

Wh t’ R tt St ?What’s a Rosetta Stone?• The Rosetta Stone is a stone with writing on it in two languages

(Egyptian and Greek) using three scripts (hieroglyphic demotic and(Egyptian and Greek), using three scripts (hieroglyphic, demotic and Greek)

• Knowing one enabled learning the other two

3

(See http://www.ancientegypt.co.uk/writing/rosetta.html for more.)

Wh t Thi P t ti i N tWhat This Presentation is Not

• A Roadmap for converting between mainframe security• A Roadmap for converting between mainframe security

products

• A Sales Pitch for any specific security product(s)

• Exhaustive or highly-detailed or expert-level

• Perfectly unbiased (but I’ll try)

4

Th G l f thi S iThe Goal of this Session

• To build on your knowledge of one (or more) mainframe y g ( )security products to introduce the other(s)

• To review the basic concepts of mainframe security• To show how each security package maps to them from a• To show how each security package maps to them from a

high-level• To review some sample constructs and commands and

h th b t d thow they map between products• To increase appreciation of mainframe security in general

5

I t d i th /OS S it P kIntroducing the z/OS Security Packages

• RACF• CA ACF2• CA Top Secret (TSS)• All use SAF• All use SAF

• System Authorization Facility• Invoked for security access checks, passes the request along to the appropriate

security system

• All have Security Databases (“Directories”)• Not X.500 directories but highly-efficient legacy systems• Now accessible from X.500 via LDAP

6

RACFRACF

• Resource Access Control FacilityResource Access Control Facility• The original mainframe security system (1976)

• Unless you count UADS, the password file and dataset protection bits

• Uses dataset protection bits with discrete profiles; deleted with protected objectwith protected object

• Generic profiles more policy-based, not attached to objects secured

• IDs are called “user IDs”

7

RACFRACF

• Four kinds of security profiles:Four kinds of security profiles:• User• Group

E h b l t t l t G• Each user belongs to at least one Group• Dataset• General ResourceGe e a esou ce

• Both Dataset and General Resource profiles may be Discrete or Generic, and both have Access Lists

• Security database• Security database• One primary and one secondary (backup)

8

CA ACF2CA ACF2

• “Access Control Facility 2” aka “ACF2”y• Developed by SKK (Schrager Klemens and Krueger) in 1978

and marketed by Cambridge• Cambridge was acquired by UCCEL, who was acquired by

CA in 1987

• “Resource Oriented”• Resources are defined and permitted through rules

• IDs are called “LIDs” (for Logon IDs)• Are substrings of UID strings which are used for access

d t i ti

9

determination

CA ACF2CA ACF2

• UID (user identification) String:• 1-24 character long “pseudo field” constructed of logonid record fields such as department,

location, job function and logonid• Allows for grouping of users• Often contains user-defined fields• Allows grouping in access rules• Multi-valued Logonid fields-allow multiple views of a single UID• Example: @UID LOC, DIV, DEPT, JOBF, LID

CH F OP SCH TLC492CH F OP SCH TLC492LOC = ChicagoDIV = Finance & Data ProcessingDEPT = OperationsJOBF = SchedulerLID TLC492LID = TLC492

10

CA ACF2CA ACF2

• Rules:$KEY(SYS1)BRODCAST UID(CHFSPSYS) R(A) W(A) A(L) E(A)BRODCAST UID(*) R(A) W(A)PARMLIB UID(CHFSPSYS) R(A) W(A) A(L) E(A)PARMLIB UID(CHFSPSYS) R(A) W(A) A(L) E(A)PARMLIB UID(*)PROCLIB UID(CHFSPSYS) R(A) W(A) A(L) E(A)

• Edited, Compiled, Optionally Decompiled• Default deny• Eg. SYS1.PARMLIB: Chicago (CH) Finance & DP (F) Systems Programming

(SP) SYSPROG (SYS) = Read(Allow), Write(Allow), Alter(Log but Allow), Execute(Allow)

11

CA ACF2CA ACF2• Three VSAM key-sequenced data sets

• Logonid database• Logonid database• One record per logonid• Central source for most user data*

• *Other user data on Infostorage Profile records g

• Rule database• Contains all data set access rules

• Infostorage database – includes the following records:• Infostorage database – includes the following records:• GSO (global system options)• Resource rules (all non-data-set access rules)• XREF (cross-reference records)XREF (cross reference records)• SCOPE (limit the authority a specially privileged user has)• SHIFT (define periods of time when access is permitted or prevented)• PROFILES (security information extracted by SAF

12

PROFILES (security information extracted by SAF RACROUTE=EXTRACT)

CA T S tCA Top Secret

“Top Secret” aka “TSS”• “Top Secret” aka “TSS”

• Developed by CGA Software Products Group in 1981

• Acquired by CA in 1985

13

CA T S tCA Top Secret

• Security database: one filey• IDs are called “ACIDs” (pronounced ay-sids, for ACcessor

IDs)• Tree Structured

• Everything (including ID’s) owned by someoneMSCA (M t S it C t l ACID) i t th t f th t• MSCA (Master Security Control ACID) is at the top of the tree

• Resources “owned” and “permitted”• By/to ACIDs Zones Divisions Departments PROFILEs and• By/to ACIDs, Zones, Divisions, Departments, PROFILEs and

“ALL Record”

14

CA T S tCA Top Secret• Hierarchical organization

ZZ

MSCA

North ZoneZoneEtc…

NW NE

Systems Ops Apps Sales Mktg

Division

DepartmentSystems Ops Apps

UsrA UsrB

Sales Mktg Department

UsersUsrC Usr1 Usr2 Usr3

15

D fi i IDDefining IDs

• RACF:RACF:ADDUSER user_id DFLTGRP(group) PASSWORD(pwd)

• ACF2:SET LIDSET LIDINSERT logonid PASSWORD(pwd)

• TSS:TSS CREATE(accessorid) DEPARTMENT(dept) PASSWORD(pwd)

16

C t lli S t E tControlling System Entry• Batch

• RACF:• SETROPTS JES(BATCHALLRACF) forces all BATCH users to

be defined to RACF• SETROPTS CLASSACT(JESJOBS)• PERMIT SUBMIT.node.job.userid CLASS(JESJOBS) ID(userid)

ACCESS(READ)( )• ACF2:

• Specify the JOBCK option of the GSO OPTS record• SET LID• SET LID• CHANGE logonid JOB

• TSS:

17

• TSS ADDTO(acid) FACILITY(BATCH)

C t lli S t E tControlling System Entry

• TSO• Master Catalog Alias, SYS1.UADS• RACF:

• ALTUSER userid TSO(ACCTNUM(accnum) PROC(logonproc))• ACF2:

• SET LIDSET LID• CHANGE logonid TSO

• TSS:TSS ADDTO( id) FACILITY(TSO)• TSS ADDTO(acid) FACILITY(TSO)

18

C t lli S t E tControlling System Entry

• CICSCICS• RACF:

• ALTUSER userid CICSACF2• ACF2:• SET LID• CHANGE logonid CICS

• TSS: • TSS ADDTO(acid) FACILITY(CICS)

19

R ki /S di A tRevoking/Suspending Accounts

• RACF:RACF:• ALTUSER userid REVOKE

• ACF2:• SET LID• CHANGE logonid SUSPEND

• TSS:• TSS: • TSS ADDTO(acid) SUSPEND

20

AAccess

• Defining Security for Datasetsg y• RACF:

• Discrete profile:ADDSD 'dsname‘ UACC(access)( )

• Generic profile:ADDSD 'dsname-incl-generic-char‘ UACC(access)

• orADDSD 'dsname‘ UACC(access) GENERIC

• ACF2:$KEY(high-level-qualifier)$ ( g q )dsname-extent UID(pattern-for-UIDs) R(A) and/or other accesses

• TSS:TSS ADDTO(acid) DSNAME(dsname)

21

TSS ADDTO(acid) DSNAME(dsname)

AAccess

• Permitting Access to DatasetsPermitting Access to Datasets• RACF:

• PERMIT ‘dsname-or-profile ‘ ID(userid) ACCESS(access)ACF2• ACF2:$KEY(high-level-qualifier)dsname-extent UID(pattern-for-UIDs) R(A) and/or other accesses

• TSS:TSS PERMIT(acid) DSNAME(dsname) ACCESS(access)

22

AAccess

• Grouping AccessGrouping Access• RACF:

CONNECT userid GROUP(group)ACF2• ACF2:SET LIDCHANGE logonid DEPT(dept)

• TSS:TSS ADDTO(acid) PROFILE(profilename)

23

P dPasswords

• Changing a PasswordChanging a Password• RACF:

PASSWORD PASSWORD(newpwd) USER(userid)ACF2• ACF2:SET LIDCHANGE logonid PASSWORD(newpwd)

• TSS:TSS REPLACE(acid) PASSWORD(newpwd)

24

Di it l C tifi tDigital Certificates

• PKI / X.509PKI / X.509• Use public/private keys• Enable more secure authentication, non-repudiationEnable more secure authentication, non repudiation• On z/OS you can use, administer and export keys

25

Di it l C tifi tDigital Certificates• To Add a Certificate

• RACF:C• RACDCERT ID(SYSMAN) ADD(MY.CERT) WITHLABEL('MIGRATED.K

EY') PCICC(*)

• ACF2:• Set profile(user) div(certdata)• INSERT SYSMAN.cert DSN(‘MY.CERT’) LABEL(MIGRATED.KEY)

TRUST PCICC PKDSLBL(*)

TSS:• TSS:• TSS ADD(sysman) DIGICERT(EKMAUT01) HITRUST +

DCDSN(‘MY.CERT’') + LABLCERT(‘MIGRATED.KEY') PCICC +

26

LABLCERT( MIGRATED.KEY ) PCICC LABLPKDS('IRR.DIGTCERT.CERTAUTH.EKMAUT01')

Di it l C tifi tDigital Certificates

• To Export a Certificate to z/OS dataset “MY.CERT”• RACF:

• RACDCERT ID(SYSMAN) EXPORT(LABEL('SECURE.KEY')) DSN(MY.CERT)

FORMAT(CERTDER)FORMAT(CERTDER)

• ACF2:• Set profile(user) div(certdata)• Set profile(user) div(certdata)• EXPORT SYSMAN LABEL(SECURE.KEY) DSN(‘MY.CERT’)

FORMAT(CERTDER)

• TSS:• TSS EXPORT(sysman) DIGICERT(EKMAUT01) +

DCDSN(‘MY.CERT') +

27

( )FORMAT(CERTDER)

Di l i U S it S ttiDisplaying User Security Settings

• Listing a user’s informationListing a user s information• RACF:

LISTUSER useridACF2• ACF2:SET LIDLIST logonid

• TSS:TSS LIST(acid)

28

M i f S it B iMainframe Security Basics

• ModesModes• Initial Installation• Implementation• Locked-down

• RACF:• WARNING operand on the ADDSD, RDEFINE, ALTDSD, and RALTER commands• SETROPTS NOPROTECTALL | PROTECTALL specifies security for all datasets| p y

• PROTECTALL requires SETROPTS GENERIC(DATASET)

• SETROPTS PROTECTALL(WARNING)

• ACF2:• MODE=(QUIET | LOG | WARN | ABORT | RULE)

• TSS:• MODE(DORM | WARN | IMPL | FAIL)

29

Ad i A th itAdmin Authority

• RACF:RACF:• SPECIAL, AUDITOR, OPERATIONS Attributes; scoped

using group-versionsCLAUTH A d P fil O hi• CLAUTH, Access and Profile Ownership

• ACF2:• ACCOUNT SECURITY LEADER CONSULT USERACCOUNT, SECURITY, LEADER, CONSULT, USER• Scoped by SCPLIST field defined in logonid record

• TSS:• ACID types: User, DCA, VCA, ZCA, LSCA, SCA

30

Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.

Si Wi t Ch hill (1874 1965)Sir Winston Churchill (1874 - 1965)

31

Wh t Fi d O t MWhere to Find Out More

• CA ACF2 Cookbook, CA Top Secret Cookbook andCA ACF2 Cookbook, CA Top Secret Cookbook and related manuals• Available on-line at support.ca.com

• For more certificate information see support.ca.com documents TEC448158 for ACF2 and TEC436087 for Top Secret

• IBM RACF Manuals and Red Books• Available on-line at ibm.com

32

Q ti / Di iQuestions / Discussion

33